this week in security — july 28 edition
** ~this week in security~
a cybersecurity newsletter by @zackwhittaker (https://twitter.com/zackwhittaker)
volume 2, issue 29.
** THIS WEEK, TL;DR
FTC hits Facebook with $5 billion penalty and new privacy measures (https://www.ftc.gov/news-events/press-releases/2019/07/ftc-imposes-5-billion-penalty-sweeping-new-privacy-restrictions) FTC: A record fine for a record screw-up. The FTC’s settlement with Facebook means it pays $5B and submits to new privacy oversight, including an independent privacy committee on its board and compliance certifications that Zuckerberg has to sign personally. The fine comes in the wake of several significant (https://techcrunch.com/2019/04/25/facebook-privacy-investigations/) security lapses and breaches and the Cambridge Analytica scandal. The FTC also sued Cambridge Analytica (https://techcrunch.com/2019/07/24/ftc-also-sues-cambridge-analytica-settles-with-former-ceo-and-app-developer/) , which siphoned off millions of users’ records for voter profiling, and settled with the firm’s former CEO and the app developer who harvested the data. Former FTC chief technologist @ashk4n (https://twitter.com/ashk4n/status/1154011894732087296) had a good tweet thread on the case and what it means. In short, now the buck really stops with Zuck. More: NPR (https://www.npr.org/2019/07/28/745949428/did-facebook-ceo-mark-zuckerberg-intend-to-deceive) | @leakissner (https://twitter.com/leakissner/status/1154021009705406466?s=21)
Marcus Hutchins sentenced to time served for selling Kronos malware (https://techcrunch.com/2019/07/26/marcus-hutchins-sentenced-kronos/) TechCrunch: Marcus Hutchins, the malware researcher who stopped (https://techcrunch.com/2019/07/08/the-wannacry-sinkhole/) the WannaCry ransomware attack, is a free man. He was sentenced to time served by a judge in Milwaukee after pleading guilty to two counts related to creating and selling the Kronos banking malware. The judge said he was young when he wrote it, has done good work since, and that putting him away would be harmful for security. “Security is everything,” said the judge. Great lawyering by @marciahofmann (https://twitter.com/marciahofmann/status/1154819621595373568) and @brianeklein (https://twitter.com/brianeklein) , who represented him pro bono. (Disclosure: I wrote this story.) More: TechCrunch (https://techcrunch.com/2019/07/08/the-wannacry-sinkhole/) | Cyberscoop (https://www.cyberscoop.com/teenage-hackers-police-britain-netherlands/)
Government contractor drops exploit code for the BlueKeep flaw (https://www.vice.com/en_us/article/wjvvvb/cybersecurity-firm-drops-code-for-the-incredibly-dangerous-windows-bluekeep-vulnerability) Motherboard: A cybersecurity firm and government contractor has released exploit code for the highly dangerous and “wormable” BlueKeep vulnerability (CVE-2019-0708, a pre-authentication remote code execution bug in Windows Remote Desktop Services). So far the exploit is only available to the pen-testing firm’s paying subscribers, but many have criticized (https://twitter.com/GossiTheDog/status/1154427860708450306) the decision to put a working exploit in anyone else’s hands at all. More than a million internet-exposed machines are still vulnerable — not to mention the many more behind firewalls. Microsoft shipped patches in May, including for out-of-support Windows XP and Server 2003; if you can’t patch yet, enabling Network Level Authentication on RDP blocks unauthenticated exploitation, and RDP shouldn’t be reachable from the internet in the first place. More: @GossiTheDog (https://twitter.com/GossiTheDog/status/1154427860708450306) | @ImmunityInc (https://twitter.com/Immunityinc/status/1153752470130221057)
Equifax to pay at least $575 million over 2017 data breach (https://www.ftc.gov/news-events/press-releases/2019/07/equifax-pay-575-million-part-settlement-ftc-cfpb-states-related) FTC: A double-whammy for the FTC this week: Equifax will pay at least $575M and up to $700M over its 2017 data breach. Remember it took four months(!) for the company to even come clean that its servers had been raided, exposing the credit files of close to 150M Americans. According to a House Oversight committee report, the breach was entirely preventable (https://techcrunch.com/2018/12/10/equifax-breach-preventable-house-oversight-report/) : the attackers got in through an Apache Struts vulnerability for which a patch had been available for months, and Equifax hadn’t applied it. You can check whether you are affected and file a claim through the FTC’s website (https://www.consumer.ftc.gov/blog/2019/07/equifax-data-breach-settlement-how-claim-your-benefits) . More: FTC (https://www.consumer.ftc.gov/blog/2019/07/equifax-data-breach-settlement-how-claim-your-benefits) | Background: TechCrunch (https://techcrunch.com/2018/12/10/equifax-breach-preventable-house-oversight-report/)
NSA forms cybersecurity directorate (https://www.wsj.com/articles/nsa-forms-cybersecurity-directorate-under-more-assertive-u-s-effort-11563876005) Wall Street Journal ($): The NSA has a new cybersecurity directorate, to be run by Anne Neuberger. It’s part of a new effort by the NSA to align the agency’s offensive and defensive cyber operations, reports @dnvolz (https://twitter.com/dnvolz) . The directorate opens October 1. The NSA even has a handy FAQ on what the directorate does… but it doesn’t really say much (unsurprisingly). More: NSA (https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/1912825/faq-nsacss-cybersecurity-directorate/) | Cyberscoop (https://www.cyberscoop.com/nsa-cybersecurity-directorate/)
QuickBooks host hit by ransomware attack (https://krebsonsecurity.com/2019/07/quickbooks-cloud-hosting-firm-insynq-hit-in-ransomware-attack/) Krebs on Security: Insynq, a cloud hosting firm for QuickBooks and other accounting software, was hit by ransomware that shut down its network and locked customers out of their tax and financial data. Many complained on Twitter about the lack of communication. Insynq’s chief executive eventually came clean (https://blog.insynq.com/blog/an-update-from-the-ceo) in a statement. At the time of writing, the company says 96% of its customers have regained access to their files. More: Insynq (https://blog.insynq.com/blog/an-update-from-the-ceo)
Apple contractors ‘regularly hear’ Siri conversations, says whistleblower (https://www.theguardian.com/technology/2019/jul/26/apple-contractors-regularly-hear-confidential-details-on-siri-recordings) The Guardian: Apple contractors regularly hear confidential medical information, drug deals, and recordings of couples having sex as part of their job “grading” the quality of Siri’s responses, according to The Guardian. Apple says the recordings are pseudonymised, not tied to an Apple ID, and used only to make Siri better, but its privacy disclosures don’t explicitly say that humans listen to them. Some of the recordings include user location, contact details and app data, the whistleblower said. Accidental activations are a big part of the problem: the whistleblower said the Apple Watch and HomePod are the most frequent sources of recordings Siri was never meant to capture. More: Ars Technica (https://arstechnica.com/gadgets/2019/07/siri-records-fights-doctors-appointments-and-sex-and-contractors-hear-it/)
Advanced mobile surveillanceware, made in Russia, found in the wild (https://arstechnica.com/information-technology/2019/07/advanced-mobile-surveillanceware-made-in-russia-found-in-the-wild/) Ars Technica: Powerful new malware, said to have been developed by a Russian defense contractor, has been uncovered by Lookout. The malware, known as Monokle, can reset a user’s PIN, make calls, take photos and screenshots, record calls, log passwords and more. It can also install attacker-supplied certificates into the device’s trusted store, which lets its operators intercept TLS traffic. Lookout has only found Android samples so far, but the researchers say there is evidence an iOS version exists or is in development. More: Cyberscoop (https://www.cyberscoop.com/gru-android-surveillance-lookout/) | Lookout (https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf) ~ ~
** THE STUFF YOU MIGHT’VE MISSED
Robinhood admits to storing some passwords in cleartext (https://www.zdnet.com/article/robinhood-admits-to-storing-some-passwords-in-cleartext/) ZDNet: This is starting to get embarrassing… Robinhood follows in the footsteps of GitHub, Twitter, Facebook and Google in inadvertently storing some user passwords in plaintext. The finance app wouldn’t say how many accounts were affected, but said the passwords have since been secured with bcrypt and that it found no evidence the plaintext copies were accessed. The usual root cause in these cases, as at GitHub and Twitter, is an internal logging pipeline capturing credentials before they reach the hashing step, which is worth auditing your own request logs for.
Ransomware knocks South African city’s electricity offline (https://www.bbc.com/news/technology-49125853) BBC News: In a rare if not unprecedented incident, ransomware infected City Power, the major electricity supplier in Johannesburg, South Africa’s largest city, leaving some residents without power. “It has encrypted all our databases, applications and network,” the city’s official account tweeted (https://twitter.com/CityofJoburgZA/status/1154355405658759168) . Per the BBC, the ransomware hit the utility’s IT systems rather than grid controls: customers couldn’t buy prepaid electricity units or log outages, which slowed the response to local blackouts. As many as a quarter of a million residents may have been affected.
New York to consider ban of phone location data (https://www.nytimes.com/2019/07/23/nyregion/cellphone-tracking-location-data.html) The New York Times ($): After last year’s location data sharing scandal (https://www.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hunter-300-dollars-located-phone-microbilt-zumigo-tmobile) , New York City is mulling a ban on cell phone companies selling that data to third parties. The bill (https://legistar.council.nyc.gov/LegislationDetail.aspx?ID=4069480&GUID=6FA8018C-84A4-4E71-93CE-D467AD53E9EA&Options=ID|Text) was introduced Tuesday.
U.K. police copied EU crime database data ahead of Brexit (https://www.theguardian.com/uk-news/2019/jul/27/nca-harvesting-eu-databases-owing-to-risk-of-no-deal-brexit) The Guardian: The U.K.’s National Crime Agency — a bit like the British FBI — copied 54,000 records on criminals, terrorists and missing persons from an EU database ahead of what’s expected to be a no-deal Brexit, a leaked document has confirmed. The copies are meant to preserve police access to that data if the U.K. leaves the EU without a deal and loses its access rights. EU lawmaker @SophieintVeld (https://twitter.com/SophieintVeld/status/1154689216170926080) has filed several questions with the EU to find out what happened. ~ ~
** OTHER NEWSY NUGGETS
U.K. government announces its Telecoms Supply Chain Review (https://www.gov.uk/government/publications/telecoms-supply-chain-review-terms-of-reference) Per BBC security correspondent @gordoncorera (https://twitter.com/gordoncorera/status/1153361629658177537) , the U.K.’s new telecoms supply chain review sets out security requirements for operators and the need for vendor diversity in critical systems. It takes a thinly veiled swipe at Huawei but defers any decision on whether to allow the company’s equipment in U.K. networks.
Facebook flaw let thousands of kids chat with unauthorized users (https://www.theverge.com/2019/7/22/20706250/facebook-messenger-kids-bug-chat-app-unauthorized-adults) Facebook’s Messenger Kids had one job — don’t let kids talk to unauthorized users — but a design flaw in group chats allowed exactly that. “We turned off the affected chats and provided parents with additional resources on Messenger Kids and online safety,” said Facebook. The news came two days before the aforementioned FTC settlement.
U.S. attorney general: Americans should accept crypto backdoor risks (https://techcrunch.com/2019/07/23/william-barr-consumers-security-risks-backdoors/) William Barr said in a speech this week (https://techcrunch.com/2019/07/23/william-barr-consumers-security-risks-backdoors/) that Americans should effectively accept backdoors because the added risk is slim and it’s not like consumers are storing the U.S. nuclear codes on their phones. Yeah, that happened. (Disclosure: I also wrote this story.) Barr continues to push for backdoors but fails to mention all the hacking tools (https://www.vice.com/en_us/article/neaadm/barr-says-police-need-backdoors-doesnt-mention-hacking-cellebrite-graykey) the DOJ already has at its disposal. Cryptographer @mattblaze (https://twitter.com/mattblaze/status/1153708198718840832) called Barr’s argument “flat-earth bizarre,” and Sen. Ron Wyden (https://twitter.com/RonWyden/status/1153765200522358786) said that if the U.S. had that kind of backdoor access it would inevitably be abused.
Synology warns of flaw amid worry over ransomware (https://www.synology.com/en-global/company/news/article/2019JulyRansomware) Synology, a maker of network-attached storage devices, warned of a brute-force campaign against internet-exposed NAS boxes: attackers guess weak admin passwords, then encrypt the data on the device and demand a ransom. The company said there have already been several victims and told users to set strong, unique passwords, enable auto-block and two-factor authentication, and disable the default admin account. ~ ~
** THE HAPPY CORNER
Here’s some good news from the week:
I mentioned earlier that Anne Neuberger is set to take on the cybersecurity helm at the NSA — that now means DHS, FBI, CIA, and NSA all have women (https://twitter.com/KennethGeers/status/1153794269653508096) in senior leadership positions across the U.S. intelligence and law enforcement space. I’d say that’s a pretty big win for diversity.
And, per @MalwareJake (https://twitter.com/MalwareJake/status/1155190166404902912) and on a similar note, the @DianaInitiative (https://twitter.com/DianaInitiative) has announced its lineup for its 2019 conference. @RayRedacted (https://twitter.com/RayRedacted/status/1155188890795413505) has the details: 52 speakers and the majority are women and non-binary folk. If you want to nominate some good news from the week, feel free to reach out: zack.whittaker@gmail.com (mailto:zack.whittaker@gmail.com?subject=Newsletter%20Happy%20Place) . ~ ~
** THIS WEEK’S CYBER CATS
This week’s cybercats are Natasha (left) and Boris (right). In Russia, the cat spies on you! A big thanks to @Riana_Crypto (https://twitter.com/Riana_Crypto) for the submission! And an honorable mention to Larry, the U.K. government’s cat (it’s a thing, really (https://www.bbc.co.uk/news/uk-politics-49049852) ), who got a new prime minister this week. Larry’s official title (https://en.wikipedia.org/wiki/Larry_(cat)) is Chief Mouser to the Cabinet Office.
If you want your cybercat featured, please submit them here (mailto:zack.whittaker@gmail.com?subject=Cyber%20Cat%20submission&body=Please%20include%20a%20JPG%20of%20your%20cyber%20cat%2C%20their%20name%2C%20and%20also%20your%20name%20and%20Twitter%20handle%20if%20you%20want%20credit.%20) ! ~ ~
** SUGGESTION BOX
That’s all for now. Hope you have a great week. If you have any feedback, feel free to drop it in the suggestion box (https://docs.google.com/forms/d/e/1FAIpQLSebkpf8z8TvMJoixuSzmrR-CTLcOv_ufF7voso1HZBI_f5zrw/viewform) . And safe travels to Vegas! ~ ~